Welcome to Thomas Insights every day, we publish the latest news and analysis to keep our readers up to date on whats happening in industry. Sign up here to get the days top stories delivered straight to your inbox.

This article is sponsored byPreVeil, a provider of end-to-end encrypted email and file sharing systems designed to protect critical information and simplify CMMC, NIST 800-171, and ITAR compliance.

Achieving complete cybersecurity is a never-ending pursuit, especially as the number of cyberattacks continues to rise. Thats why the National Security Agency (NSA) recommends a Zero Trust framework, which assumes that a breach is inevitable or has already occurred. Additionally, the Department of Defense (DoD) is increasing its compliance requirements for contractors, making it more important than ever to implement robust and effective security measures. To remain competitive and demonstrate the ability to protect critical information, manufacturers, especially in the defense sector, have to show compliance with stringent cybersecurity standards, such as ITAR, CMMC, and NIST 800-171.

To assist,PreVeiloffers end-to-end encrypted email and file sharing systems designed to protect Controlled Unclassified Information (CUI) while also simplifying compliance. In addition to the product itself, PreVeil provides a complete compliance package, including documentation, templates, definitions, training videos, and more to educate customers and simplify their compliance process.

We strive to simplify security and compliance for manufacturers with an emphasis on ease of use and assisting our customers throughout their security and compliance journey, says Sanjeev Verma, chairman and co-founder of PreVeil. Our solutions are geared towards reducing the cost burden that often comes with achieving compliance, which is of paramount importance to our manufacturing customers.

Through the use of Zero Trust security, PreVeil ensures that information is only encrypted and decrypted on a users device, making it useless to attackers if hacked. PreVeils cybersecurity solutions are trusted by more than 800 defense manufacturers, financial institutions, law firms, consumer-focused businesses, and more.

Sanjeev Verma (SV):PreVeil is a company that builds end-to-end encrypted email and file sharing systems. These products are generally used by manufacturing companies, particularly defense contractors, as well as law firms, and financial institutions. What distinguishes us is that we offer arguably some of the best cybersecurity in the world. Defense contractors, law firms, and financial firms use us because we sit at the cusp of not only providing best-in-class cybersecurity solutions but also simplifying their compliance mandates.

As the world is moving forward, theres a greater demand for cybersecurity as well as compliance. For these regulated segments such as manufacturing, particularly for defense, we sit at the intersection of providing simple solutions that can reduce the cost and complexity of both cybersecurity and compliance for these companies.

SV:We are seeing increasing compliance requirements imposed on companies. In the defense segment, companies are required to protect critical information, which should be self-evident, but they are increasing regulations to protect whats called Controlled Unclassified Information (CUI). This includes contract information, defense designs, and so forth, that manufacturers have in their possession.

Specific compliance regimes that drive the adoption of our products include NIST 800-171, which is part of federal defense contracts; CMMC, which is an upcoming regulation that requires manufacturers to prove they are adequately protecting information; and ITAR, which involves defense companies and others sending information overseas.

With an increased emphasis on compliance, customers often come to us to get a clearer understanding of what the compliance regulations ask of them. CMMC, NIST 800-171, and ITAR can be very complex for a manufacturer to understand, so we assist customers in simplifying those complex regulations and providing them with an understanding of what is required of them. Then, we explain how PreVeils encrypted email and file-sharing systems can be used to provide the security and compliance these regulations require, while also simplifying and reducing the cost of their security and compliance journey.

SV:We simplify compliance with an uncompromising focus on cybersecurity. One way that we differentiate ourselves is that we dont cut corners to make you compliant. We come in and provide you with the best cybersecurity available anywhere in the world and yet simplify your compliance because our products are very easy to use. We provide an entire solution not only do we provide the product itself but also the full compliance package. We help our customers adopt our products as well as provide the documentation needed to ultimately get compliance.

We also have a series of help articles and videos that we call PreVeil University. Once you have the product and the documentation, you can then go to PreVeil University to get any of your questions answered regarding compliance and security.

At the end of the day, we are true to our mission of protecting critical information. We remain laser-focused on a security-first approach to compliance while bearing in mind, simplify, simplify, simplify.

SV:The entire federal government is now requiring NIST 800-171 compliance as the framework by which suppliers to the government, particularly the Defense Department, need to demonstrate security. NIST 800-171 is a series of 110 controls that need to be implemented in order to show that you are adequately protecting information in your systems, whether it be on phones, computers, or elsewhere.

A defense contractor used our system, and a United States Defense Department audit authority audited that customer for NIST 800-171 compliance. Our customer achieved a perfect 110 out of 110 controls. They used PreVeil in conjunction with other policies and procedures, and the combined result was the highest level of score for their system.

This not only proves that they were successfully protecting defense information, but it also provides a competitive advantage. Now, when prime contractors are looking for a supplier, this customer will be able to demonstrate their perfect compliance score.

SV:Compliance is a primary trend, but the other large trend is cybersecurity itself, particularly a concept referred to by the US government as Zero Trust. A lot of systems are protected by whats called perimeter defense. This means that security systems such as firewalls and others have been put in place to prevent attackers from accessing the information. What modern cybersecurity has recognized is that no matter how good the perimeter is, attackers will still get through because they are very sophisticated.

PreVeil was founded out of research at MIT using this principle of Zero Trust, which means we assume that everybody, including PreVeil, will be attacked. Systems that employ Zero Trust cybersecurity protect your information even when an attacker is able to access it.

We achieve this through end-to-end encryption. This means that emails and files remain encrypted at all times the only person who can decrypt it is the recipient. Even if the attacker gets to the servers where this information is stored, all they will get is gibberish because the information remains encrypted, and there are no keys available on those servers to decrypt them. End-to-end encryption represents one of the key frameworks by which Zero Trust is accomplished.

For more information about their end-to-end email and file sharing encryption systems, contact PreVeil today orbook a demo.

See the original post here:
Simplify DoD Compliance with End-to-End Encrypted Email and File ... - ThomasNet News

With promises of unprecedented visibility into encrypted traffic across virtual machines (VM) and container workloads, deep observability company Gigamon has launched a new "Precryption" technology.

Gigamon's GigaVUE 6.4 will deploy the Precryption technology to enable IT and security teams to conduct encryption-centric threat detection, investigation, and response across the hybrid cloud infrastructure.

"There's encryption everywhere now, including traffic or lateral movement within all virtualized and containerized environments, which is a good thing because it provides confidentiality for all of our information," said Michael Dickman, chief product officer at Gigamon. "The danger is that attackers can use encryption to hide their own movement and their own attacks, making it look like just another encrypted traffic flow, and that goes undetected."

The new Precryption technology will be delivered as a part of Gigamon's existing licenses and will be charged per usage (eg. Terabytes).

The new Precryption technology by Gigamon leverages Linux's Extended Berkeley Packet Filter (eBPF) technology to insert custom observability programs into the workload networks and bring them back to a centralized location.

eBPF is a flexible technology in the Linux kernel that allows users to write and load custom programs that run within the kernel space. eBPF programs are typically used for network packet filtering, monitoring, and other kernel-level tasks, but their use cases have expanded to various aspects of system observability and control.

Simply put, "Gigamon's new technology allows network traffic to be inspected by capturing traffic before encryption or after decryption using eBPF," said Christopher Steffen, vice president of research at EMA. "It doesn't require encryption keys and doesn't need to perform resource-intensive decryption."

"With the new tech, you don't actually have to manage, track or use keys," Dickman said. "There's no computing needed for an additional overlay of secondary decryption because that's how decryption usually works where you interrupt a traffic stream, and then decrypt it and re-encrypt, which is quite expensive, compute-wise."

The latest GigaVUE release has added a few other capabilities, other than the Precryption technology, to support visibility and decryption in a host of environments.

With the new "Cloud SSL decryption" capability, Gigamon looks to extend classic on-premises decryption capabilities to virtual and cloud platforms. "Application Metadata Intelligence" is another capability that allows for the detection of vulnerabilities and suspicious activities across both managed and unmanaged hosts.

Most significant and integral to Gigamon's Precryption is the "Universal Cloud Tap" capability that serves a single, executable tap for platforms to allow control and configuration of eBPF. "UCT is how we pull out visibility to network data in containers as well as VMs in a very efficient manner," Dickman said.

Gigamon's latest capabilities are well received by analysts who deem it long overdue. "So many organizations have network encryption requirements, but many do not have a method of adhering to these requirements of implementing network encryption while retaining the ability to monitor network traffic," Steffen said. "Precryption solves this problem, allowing security and network administrators to deliver on encryption controls while maintaining their ability to protect company resources by not losing visibility on their internal and external network traffic."

See the original post:
Gigamons Precryption to block attacks hiding behind encryption - CSO Online

On Oct. 23, 2019, Google published a groundbreaking scientific research article announcing one of the holy grails of quantum computing research: For the first time ever, a quantum computer had solved a mathematical problem faster than the worlds fastest supercomputer. In order to maximize impact, the Google team had kept the article tightly under wraps in the lead-up to publicationunusually, they had not posted a preprint to the arXiv preprint server.

The article sank with barely a ripple in the expert academic community.

That wasnt because anyone disputed the significance of the Google teams milestone. Many experts still consider Googles demonstration to be the most important milestone in the history of quantum computing, comparable to the Wright brothers first flight in 1903. But most experts in the field had already read the article. A month earlier, a NASA employee who was involved with the research had accidentally posted a draft of the article on NASAs public web site. It was online for only a few hours before being taken back down, but that was long enough. Schrdingers cat was out of the bag.

This anecdote illustrates a fact with important policy implications: It is very difficult to keep groundbreaking progress in quantum computing secret.

One of the most important quantum computing algorithms, known as Shors algorithm, would allow a large-scale quantum computer to quickly break essentially all of the encryption systems that are currently used to secure internet traffic against interception. Todays quantum computers are nowhere near large enough to execute Shors algorithm in a practical setting, and the expert consensus is that these cryptanalytically relevant quantum computers (CRQCs) will not be developed until at least the 2030s.

Although the threat is not yet imminent, the consequences of a hostile actors execution of Shors algorithm could be incredibly dire. Encryption is at the very bedrock of most cybersecurity measures. A hostile actor who could read encrypted information transmitted over the internet would gain access to an immeasurable amount of critically sensitive informationfrom personal information such as medical or criminal records, to financial information such as bank account and credit card numbers, to cutting-edge commercial research and development, to classified national security information. The U.S. National Security Agency has said that the impact of adversarial use of a quantum computer could be devastating to [National Security Systems] and our nation.

Fortunately, preemptive countermeasures are already being put into place. The U.S. National Institute of Standards and Technology (NIST) is standardizing new post-quantum cryptography (PQC) protocols that are expected to resist attacks from both standard and quantum computers. Upgrading communications systems to use post-quantum cryptography will be a long, complicated, and expensive process that will extend over many years. The U.S. government has already begun the process: In May 2022, President Biden issued National Security Memorandum 10, which gives directives to all U.S. government agencies regarding the U.S. governments transition to post-quantum cryptography. Recognizing the long timelines that this transition will require, the memorandum sets the goal of mitigating as much of the quantum risk as is feasible by 2035.

Several experts have stated that one of the most important factors that will determine the severity of the threat posed by a CRQC is whether or not the public knows of the CRQCs existence. As soon as the existence of the CRQC becomes public knowledgeor is even considered plausibleand the threat becomes concrete, most vulnerable organizations will immediately move to upgrade all their communications systems to post-quantum cryptography. This forced transition may well be very expensive, chaotic, and disruptive, but it will fairly quickly neutralize most attack vectors (with one important exception mentioned below). The true nightmare scenario would be if a hostile actor (such as a criminal or terrorist organization or a hostile foreign government) covertly operated a CRQC over a long time period before PQC becomes universal, allowing the actor to collect a huge amount of sensitive information undetected.

Fortunately, it is extremely unlikely that any organization will develop a CRQC in secret, for at least four interrelated reasons.

First, anyone trying to develop a high-performance quantum computer will face stiff competition from commercial industry. Quantum computers have the potential to enable many commercial applications that have nothing to do with decryption, such as drug design, materials science, and numerical optimization. While there is huge uncertainty in the pace of technology development and the timelines for useful applications, some people have predicted that quantum computers could deliver over a trillion dollars in economic value over the next decade. Many private companies are racing to produce state-of-the-art quantum computers in order to profit from these applications, and there is currently no clear technical industry leader. Moreover, these companies are collectively extremely well funded: U.S. quantum computing startups alone have raised over $1.2 billion in venture capital, and that total does not include other major players such as national laboratories, large self-funding companies, or non-U.S. companies.

In the near term, these companies face some incentives to publicize their technical capabilities and other incentives to keep them proprietary. But in the long run, companies need to advertise their capabilities at a reasonable level of technical detail in order to attract customers. The closer the state of the art in commercial industry comes to the technical performance required to execute Shors algorithm, the clearer the threat will become to potential targets, and the more urgently they will prioritize upgrading to PQC.

Any organization attempting to secretly develop a CRQC would therefore need enormous financial resources in order to compete with the well-funded and competitive commercial industry, and it would need to stay far ahead of that industry in order to keep the element of surprise.

The second reason that a CRQC is unlikely to be developed in secret is that a relatively small number of people are at the cutting edge of quantum computing development in industry or academia, and they are well known within the expert community. Any organization attempting to secretly develop a CRQC would need to acquire world-class talentand if many of the greatest technical experts suddenly left their organizations or stopped publishing in the technical literature, then that fact would immediately be fairly evident, just as it was during the Manhattan Project. (However, this point may become less relevant in the future as the commercial industry matures. As the pool of expert talent grows and more information becomes business proprietary, public information about the top technical talent may decrease.)

Third, a CRQC might be physically difficult to hide. Its extremely difficult to estimate the physical resources that will be required to operate a CRQC, but my recent research suggests that a CRQC might plausibly draw 125 megawatts of electrical power, which is a significant fraction of the total power produced by a typical coal-fired power plant. A device that requires its own dedicated power plant would leave considerable evidence of its existence. Certain very capable organizations (such as national governments) might be able to conceal such a project, but doing so would not be easy and could well be impossible for smaller organizations.

The fourth reason has to do with the relative resources required for various quantum computing applications. As with most technical questions regarding the future of quantum computers, there is a huge amount of uncertainty here. But there is fairly strong theoretical evidence that many commercial applications of quantum computers will be significantly technically easier to implement than Shors algorithm. There is already very active research into the question of whether even todays crude quantum computers, known as noisy intermediate-scale quantum computers, might be able to deliver practical applications in the near future, although we dont yet know for sure.

In a more conservative technical scenario, all useful quantum applications might require a technically challenging hardware stabilization process known as quantum error correction, which has very high hardware requirements. But even in this scenario, there is evidence that some commercial applications of quantum computers (like the scientific modeling of chemical catalysis) will require lower hardware resources than Shors algorithm does. For example, one recent analysis estimated that computationally modeling a chemical catalyst used for direct air carbon capture would require only 20 percent as many qubits as executing Shors algorithm would. (A qubit is the basic building block of a quantum computer and one of the simplest ways to quantify its hardware performance.)

These analyses imply that commercial applications of quantum computing will very likely become technically feasible before decryption does. Unless an organization attempting to develop a CRQC is far more technically advanced than the commercial sectorwhich is unlikely, given the potentially huge economic value mentioned abovecommercial companies will probably beat the organization to applications, and they will announce their success. Even in the unlikely event that an organization does manage to develop a CRQC before the commercial industry develops a commercially useful quantum computer, that organization will face an enormously high opportunity cost of not using its CRQC for commercial applications that could deliver billions of dollars of value. Even if the organization were government sponsored, its government sponsor would face an enormous economic incentive to use its quantum computer for commercial applications rather than for intelligence collection.

What this means for policymakers is that the ultimate worst-case scenario, in which a hostile actor secretly deploys a CRQC for many years against totally unsuspecting victims, is highly unlikely. This does not in any way lessen the importance of quickly upgrading all critical communications systems to post-quantum cryptography, however, since doing so defends against harvest-now-decrypt-later attacks, in which a CRQC is deployed retroactively against saved encrypted data that was intercepted previously.

Operators of communications systems that transmit highly sensitive information should already be preparing to upgrade those systems cryptography to PQC, and they should perhaps develop contingency plans for even further accelerating that adoption if signs arise that CRQCs are approaching unexpectedly quickly. But policymakers should also understand that the commercial applications of quantum computers will probably emerge well before intelligence-collection applications do. This conclusion may carry implications regarding appropriate national-security-related policies such as export controls and outbound investment restrictions, as well as the broader balance of risks and benefits around quantum computers.

Finally, policymakers and cybersecurity analysts should avoid messaging that emphasizes the risk that CRQCs developed in secret could be imminent or already operational (unless, of course, they have additional information that runs counter to the points raised above). There is already more than enough reason to upgrade our communications systems to resist attacks from quantum computers as soon as possible. Even if completely unexpected attacks from a black-swan quantum computer are unlikely, attacks from known or suspected quantum computers would already be plenty bad enough.

Follow this link:
When a Quantum Computer Is Able to Break Our Encryption, It Won't ... - Lawfare

Meta-owned WhatsApp is reportedly rolling out an 'automatic security code verification' feature for end-to-end encryption to a limited number of beta testers on Android.

COMMERCIAL BREAK

SCROLL TO CONTINUE READING

With this feature, the app will try to automatically verify if messages are end-to-end encryption without requiring any user intervention, according to WABetaInfo.

This process will be called Key Transparency, enhancing the overall security and privacy of users' conversations by checking if they are using a secure connection.

However, WhatsApp still provides users with the manual verification feature in case the automatic verification fails or it is not available.

According to the report, this feature is especially useful in situations where traditional QR code scanning or manual verification is difficult, such as when users need to easily verify encryption remotely.

By automating security code verification, the report said that WhatsApp hopes to provide added security and convenience for their users while verifying end-to-end encryption with no additional effort on their part.

Meanwhile, WhatsApp is reportedly working on bringing "third-party chat" support on Android in order to comply with the new European Union (EU) regulations.

The new feature will offer users the ability to communicate with each other using different apps.

For instance, someone from the Signal app could send a message to a WhatsApp user, even without a WhatsApp account.

The feature comes just days after the European Commission confirmed that Meta fits the definition of a "gatekeeper" under the EU's Digital Markets Act (DMA), which mandates that communication software like WhatsApp allow interoperability with third-party messaging apps by March 2024.

See the rest here:
WhatsApp testing automatic security code verification for end-to-end encryption - Zee Business